How secure is your Cisco SDN?

The architecture of the ancient Rajput fortress of Jaisalmer in Rajasthan (India) might provide a suitable analogy to describe the need for multiple rings of security. Architected with 3 walls, one of stone and two more within, it ensured that there was no single point where security could be breached. If the external wall was breached by the enemy, they would potentially be stopped at the second wall. If the second wall was breached, the enemy got trapped between the 2nd and 3rd walls where the Rajput defenders would pour cauldrons of boiling oil on the trapped attackers. Similarly in network security there is no such thing as the ultimate perimeter based firewall or the ultimate malware detection tool. You need all of the above and still face the risk that some APT or malware will penetrate all your defenses.

Imagine this scenario: You are a service provider with a large data center; you have invested over the years in big iron routers and switches from Cisco and Juniper. You see the dawn of a new era where you can reduce the provisioning time for circuits and the cycle time for rollout of new services. After making sense of the confusing SDN messaging from major switch & router vendors you finally decide to use open source OpenStack for orchestration, Cisco APIC software to assign policy to flows and manage the Cisco ACI fabric comprising high end Cisco Nexus 9000 switches. Now what security issues do you face?

For one, the SDN stack itself is susceptible to Denial-of-Service (DoS) attacks. An attacker could potentially saturate the control plane with useless traffic to a point where the centralized SDN controller’s voice never gets heard by the data plane. In theory, Cisco could use open source “Snort” (derived from SourceFire) to detect an attack and communicate this to the SDN controller which could reprogram the network to block the attack. However Snort while being a good open source IPS/IDS (with a rule based language combining signature, protocol and anomaly based inspection), is still reliant on regular signature updates. Snort has no way to detect web exploits like malicious Javascript. Snort may not help you with attacks like Advanced Persistent Threats (APT). In addition to this, OpenStack itself has a range of security related vulnerabilities as listed here.

Cisco made ~23 security related acquisitions before acquiring SourceFire, Cognitive Security and others. To date, vendors like Palo Alto Networks (mfr. of application aware firewalls), FireEye (mfr. of virtual machine based security), Mandiant (provider of incident response) and others have already carved out extensive security market-share at Cisco’s expense. Time will tell if Cisco can actually integrate all the useful but disparate security related acquisitions to provide meaningful security for your SDN or whether they will leave the field open for the next generation of security upstarts. Phil Porras of SRI International mentions interesting security related use-cases for SDN like reflector nets, quarantine systems, emergency broadcasts & tarpits where SDN can be used to go beyond just blocking network attacks. It will be interesting to see if Cisco and Juniper can come up with imaginative solutions like these to adopters of their proprietary SDN solutions.